Static Application Security Testing for Early Vulnerability Identification

chiranjeevi345
March 10, 2018 | Views: 2810


Static Application Security Testing (SAST), also called secure code review, is an inside-out (white-box) test approach that identifies security vulnerabilities at the code level.

It is essential for an organization to identify and fix security vulnerabilities during the development stage, both to avoid a last-minute rush and to improve code quality, which in turn reduces application risk. SAST tools can be integrated into developers' IDEs (Integrated Development Environments), where developers can track their code quality as they work, which improves the security posture of the application. It is easier for a developer to fix issues from a SAST report because the report points to the vulnerable code at its exact location (line number).

SAST can be applied to both stand-alone (thick client) applications and browser-based (thin client) applications; however, the SAST tool must support the programming language the application is written in.

Code review tools generally identify the data-flow entry points (the variables that receive input) and track them to their execution points in order to validate that piece of code, reporting the execution points that are vulnerable. This makes SAST an effective means of finding vulnerabilities such as SQL injection, buffer overflows, cross-site scripting, etc.
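As an added illustration of the source-to-sink tracking described above (this is not code from the article or from any of the tools it names), the following toy, flow-insensitive taint analysis walks a Python module with the standard `ast` package: calls to `input()` are treated as untrusted sources, `cursor.execute()` and `os.system()` as sinks, and every finding is reported with its line number the way a SAST report would. The source and sink names and the sample program are constructed assumptions.

```python
import ast

# Constructed toy model: call names treated as untrusted input sources and
# attribute names treated as dangerous sinks (cursor.execute, os.system).
SOURCES = {"input"}
SINK_ATTRS = {"execute", "system"}

def _is_tainted(expr, tainted):
    """True if the expression reads a tainted variable or calls a source."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name)
                and sub.func.id in SOURCES):
            return True
    return False

def find_tainted_sinks(source_code):
    """Return sorted (line, sink) pairs where tainted data is a sink's first argument."""
    tree = ast.parse(source_code)
    tainted = set()
    changed = True
    while changed:  # fixpoint: propagate taint through simple assignments
        changed = False
        for node in ast.walk(tree):
            if (isinstance(node, ast.Assign) and len(node.targets) == 1
                    and isinstance(node.targets[0], ast.Name)
                    and node.targets[0].id not in tainted
                    and _is_tainted(node.value, tainted)):
                tainted.add(node.targets[0].id)
                changed = True
    findings = []
    for node in ast.walk(tree):  # every sink call whose first argument is tainted
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINK_ATTRS and node.args
                and _is_tainted(node.args[0], tainted)):
            findings.append((node.lineno, node.func.attr))
    return sorted(findings)

# Constructed sample program under review (not from the article). Line 7 builds
# the query by string concatenation; line 8 is the parameterised form and is
# not flagged because its first argument is a constant; line 9 taints a command.
SAMPLE = '''
import os
def lookup(conn):
    user = input("user: ")
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    cur = conn.cursor()
    cur.execute(query)
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    os.system("ls " + user)
'''

if __name__ == "__main__":
    for line, sink in find_tainted_sinks(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}()")
```

The analysis is intraprocedural and models no sanitizers, so it only shows the source/sink idea; real SAST engines add control-flow sensitivity, inter-procedural tracking and sanitizer rules on top of it.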

The downside of SAST is that it cannot identify configuration issues or issues related to TLS and the like, because those are not part of the source code. However, neither SAST nor any other single testing method can give 100% confidence in an application's security. A combination of different testing methodologies such as SAST, DAST, IAST, etc. gives a good level of confidence in an application's security.

There are various commercial and open source tools for static code review, such as:

Open Source Tools:

  • SonarQube by OWASP
  • FindBugs for Java
  • Visual Code Grepper
  • YASCA etc…

Commercial Tools:

  • VeraCode
  • CheckMarx
  • HP Fortify
  • AppScan Source etc…

Note: The order of the tools above does not reflect their relative effectiveness.

  1. What is the difference in quality between the open source tools versus the commercial tools available?

  2. Nice post Chiru!!
